AD user flags

Jan Nielsen

In an aspx web page, I'm trying to read out some attributes regarding
password settings like UF_PASSWD_NOTREQD, UF_PASSWD_CANT_CHANGE,
UF_DONT_EXPIRE_PASSWD and UF_PASSWORD_EXPIRED.

According to the documentation userAccountControl seems to be an integer
containing these. However only the bit UF_DONT_EXPIRE_PASSWD seems to be
updated properly. The other three flags are reset no matter what I do to the
user account. Using ADSI Edit it seems like
"msDS-User-Account-Control-Computed" can be used to determine
UF_PASSWORD_EXPIRED, but trying to read this attribute using DirectoryEntry
etc. causes an exception to occur.

    iFlags = (int)objAccount.Properties["msDS-User-Account-Control-Computed"].Value;

It seems like this attribute is not in the collection.

How should I read these properties in ASP.NET?


Thanks in advance,
Jan Nielsen
 
Jeffrey Tan[MSFT]

Hi Jan,

Based on my understanding, you want to get some password related flags of
certain user.

I think you should use userAccountControl property to get these flags
instead of using "msDS-User-Account-Control-Computed".

Also, after you change your user account, it may need a little time to
update the property. So you should re-query the change some time later.

Please apply my suggestion above and let me know if it helps resolve your
problem.

Thank you for your patience and cooperation. If you have any questions or
concerns, please feel free to post it in the group. I am standing by to be
of assistance.

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
 
Jan Nielsen

Hi Jeffrey,

Thanks for your reply.

I've now tried to wait for a few hours, and neither the
UF_PASSWD_CANT_CHANGE (0x0040) bit nor
UF_PASSWORD_EXPIRED (0x800000) bit gets updated in userAccountControl.

I'm sure it's not caused by replication delay, as I'm updating and querying
the same DC. And the UF_DONT_EXPIRE_PASSWD (0x10000) bit gets updated right
away.

For a user that has "User cannot change password" and "Password never
expires" checked, the value I read in userAccountControl is 0x10200. I would
expect it to be 0x10240.


Kind regards,
Jan Nielsen
 
Jeffrey Tan[MSFT]

Hi Jan,

Thanks for your feedback.

Have you used ADSI Edit to view the userAccountControl property?

I think we should first determine if the problem is due to your C# program
or the other problem.

The DirectoryService should get the same value as you say in ADSI
Edit. So I think you should first test without the program:

First view your normal account's userAccountControl property; it should be
512, that is UF_NORMAL_ACCOUNT (0x00200). Then, you may use your DC to
change this account's password setting. Then, you should refer to the change
again through ADSI Edit. (Remember to refresh it.)

If the value only reflects the UF_DONT_EXPIRE_PASSWD flag and is the
same result as the program gets, it means the problem has nothing to do with
the program, but another setting.

Thank you for your patience and cooperation. Please feel free to feedback.

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
 
Jeffrey Tan[MSFT]

Hi Jan,

Have you tried my suggestion to use ADSI Edit to get the result? Is the
flag affected?

Please feel free to feedback, I will help you. Thanks

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
 
Jan Nielsen

Hi Jeffrey,



ADSI Edit reports the same values as my C# program.

A user who has a password that does not expire reports 0x10200.

A normal user reports 0x00200.



No other flags, among the ones I'm interested in, seem to affect this value.



Kind regards,
Jan Nielsen
 
Jeffrey Tan[MSFT]

Hi Jan,

Thanks for your feedback.

Because ADSI Edit gets the same result as the C# program, I think the
problem is not ADSI; it should be the setting of your Active Directory
or your domain setting.

You may consult this issue in microsoft.public.win2000.active_directory or
microsoft.public.win2000.group_policy to fix it.

Once your setting is correct, I think you should get the correct affected
value. Thanks for your understanding.

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
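
Added example, not part of the thread and not code from either poster: a C# sketch of reading the password flags discussed above. It assumes the domain controller exposes msDS-User-Account-Control-Computed (Windows Server 2003 or later), which as a constructed attribute has to be loaded by name with RefreshCache; the Uf enum, the UacDemo class and the ldapPath placeholder are names made up for this example.

```csharp
using System;
using System.DirectoryServices; // Windows-only assembly reference, used by ReadFlags

[Flags]
enum Uf // hypothetical enum; values are the UF_* constants named in the thread
{
    PasswdNotReqd = 0x0020, PasswdCantChange = 0x0040, NormalAccount = 0x0200,
    DontExpirePasswd = 0x10000, PasswordExpired = 0x800000
}

static class UacDemo
{
    // Bit that the directory computes on read instead of storing in userAccountControl.
    const Uf ComputedOnly = Uf.PasswordExpired;

    // Merge the stored value with the constructed one.
    public static Uf Effective(int stored, int computed)
    {
        return ((Uf)stored & ~ComputedOnly) | ((Uf)computed & ComputedOnly);
    }

    // Live lookup; ldapPath is a placeholder, e.g. "LDAP://CN=...,DC=example,DC=com".
    public static Uf ReadFlags(string ldapPath)
    {
        using (var user = new DirectoryEntry(ldapPath))
        {
            // A constructed attribute is not in the default property cache,
            // so it is requested by name before it is read.
            user.RefreshCache(new[] { "userAccountControl",
                                      "msDS-User-Account-Control-Computed" });
            int stored = (int)user.Properties["userAccountControl"].Value;
            object c = user.Properties["msDS-User-Account-Control-Computed"].Value;
            int computed = c == null ? 0 : (int)c; // absent on DCs without the attribute
            return Effective(stored, computed);
        }
    }

    static void Main()
    {
        // Constructed sample: the normal user's stored 0x00200 from the thread,
        // combined with a computed value that has the expired bit set.
        Console.WriteLine(Effective(0x00200, 0x800000));
        // The stored 0x10200 versus the expected 0x10240: the only differing bit.
        Console.WriteLine((Uf)0x10240 ^ (Uf)0x10200);
    }
}
```

UF_PASSWD_CANT_CHANGE is not reported by either attribute: that setting is held as deny ACEs for the Change Password right in the user object's security descriptor.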
 
